Chain of Custody: What IT Needs to Know for Legal Holds

Managing document preservation for litigation and regulatory matters remains one of the most distressing eDiscovery challenges. Recent court decisions reinforce the importance of a business’s duty to preserve electronically-stored information. It’s an issue for the organization’s legal staff — but also presents challenges for enterprise IT.

Legal and IT departments sometimes need to reconnect to understand one another’s needs; perhaps this explanation can shed some light.

Chain of custody refers to the movement and location of physical evidence from the time it is obtained until the time it is presented in court. And, more and more, IT departments are called upon to protect corporate data for legal needs.

Veteran attorneys and review teams are aware that making an eDiscovery project successful requires adherence to established processes and gathering evidence that can be proven in a court of law. eDiscovery experts always work backwards in a case to drive favorable outcomes.

There are major risks associated with the authenticity of electronically-stored information (ESI) due to the ease with which ESI can be modified as it moves from one phase of eDiscovery to the next. Hence, it is essential to ensure defensible reporting that demonstrates who, when, how, and what ESI was preserved, collected, and processed.

For example, imagine a contested wrongful termination case, in which a court orders seizure of a CEO’s corporate laptop. As part of the litigation, all of the CEO’s email messages and corporate data are collected by the counsel acting for the company. When such a data set is collected, there may be questions about the methodology used, whether any of the email messages were tampered with, and which individual was responsible for performing the collection. With so many moving parts, the CEO’s counsel may object to the produced ESI itself. Admissibility hinges on the ESI’s complete foundation and on the ability of legal and IT to verify the integrity of the files produced as evidence.

eDiscovery and Challenges for Enterprise IT

IT staff working for large enterprises in heavily-regulated industries have to figure out answers to questions like these:

How to automate data collection for a litigation or investigation

How to reduce the risk associated with data spoliation through self-preservation

How to prove the authenticity of ESI produced as evidence in court

This becomes an incredibly complex affair, especially for customers who have a mobile, globally distributed workforce and data distributed across disparate data sources — everything from tablet computers to cloud applications, such as Microsoft Office 365. And… isn’t that just about everyone?

IT managers often are hassled when attorneys and investigators request records related to a legal hold policy. IT is asked to provide details on the custodian, date, and time when the custodian was placed on hold, the data collected for the custodian as part of a legal hold, and details about the administrator who executed the legal hold. Attorneys may also need a granular report that captures the file-specific metadata attributes, such as creation time, modification time, file size, and a SHA1/MD5 checksum at the time of producing data in court.

Litigation support admins, investigators, and IT admins have explained to us at Druva that the most common way they address these requirements is to take screenshots of data collected from custodians as well as from Web applications (for example, LinkedIn, Salesforce.com’s Chatter, and Yammer). But it’s not a good solution. “Legal process by screenshot” can be a frustratingly time-consuming process given the number of screen captures required for a single user account. Moreover, this process completely fails to maintain a defensible trail of collected data that enables legal counsel to authenticate the ESI being produced as evidence in a court of law.

The purpose of a chain of custody report is to prove that the authenticity of the data collected has been maintained across all the stages of eDiscovery and to maintain a defensible trail of data collected for a litigation or investigation. Legacy eDiscovery vendors required customers to manually collect data to network shares or portable drives as a case progressed through different stages of the eDiscovery lifecycle. This approach increases the spoliation risk. It also makes it hard to maintain a defensible trail of collected data. For example, metadata attributes (such as date accessed, modification, and creation timestamps) can be tampered with when copying data from one source to another, unless sophisticated technologies are used.

inSync also collects and preserves a SHA1 hash for each file that is collected from a custodian as part of a litigation or investigation. Apart from a detailed Chain of Custody report for each legal hold policy, Druva’s customers can leverage pre-built eDiscovery connectors for Recommind and AccessData to authenticate files produced as evidence at any stage of the eDiscovery process. Customers who do not have a dedicated eDiscovery tool in use can also make use of open source HTTP clients that offer hash verification functions for this purpose.
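
The per-file record and verification described above, as an added Python example (not Druva's or inSync's code). It records size, modification time and SHA-1 for one collected file, adds SHA-256 as an assumption of this example, and then checks three copies against that record; the file names, custodian and collector values are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

FIELDS = ("size", "mtime_ns", "sha1", "sha256")

def file_record(path, custodian, collector):
    """One chain-of-custody entry: who collected what, from whom, and when."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    st = os.stat(path)
    return {"name": os.path.basename(path), "custodian": custodian,
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            # SHA-1 as on the page; SHA-256 added here (assumption) as a stronger digest
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def verify(path, record):
    """Return the attributes of `path` that no longer match the record."""
    now = file_record(path, record["custodian"], record["collected_by"])
    return [k for k in FIELDS if now[k] != record[k]]

def demo():
    """Constructed sample: collect one file, then check three copies of it."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "offer_letter.txt")
    with open(src, "w") as fh:
        fh.write("constructed sample document\n")
    old = 1_600_000_000 * 10**9          # fixed mtime in the past, in nanoseconds
    os.utime(src, ns=(old, old))
    rec = file_record(src, "ceo@example.com", "it-admin")  # hypothetical names
    naive = shutil.copy(src, os.path.join(work, "naive.txt"))      # new mtime
    kept = shutil.copy2(src, os.path.join(work, "preserved.txt"))  # mtime kept
    edited = shutil.copy2(src, os.path.join(work, "edited.txt"))
    with open(edited, "a") as fh:        # content changed after collection
        fh.write("x")
    os.utime(edited, ns=(old, old))      # mtime equals the record again
    out = {"naive": verify(naive, rec), "preserved": verify(kept, rec),
           "edited": verify(edited, rec)}
    shutil.rmtree(work)
    return out

if __name__ == "__main__":
    print(demo())
```

The plain copy differs from the record only in its modification time, while the copy whose content changed is reported through its size and both digests even though its timestamp matches.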

1 Comment

While I agree totally with the need for complete and comprehensive Chain of Custody documentation, I would take the discussion one level higher. Obviously, every company should have a Legal Hold Policy; they also should have detailed processes that outline how the policy is implemented, with procedures describing each process in detail. Chain of custody is an integral piece to be included in the process/procedure documentation. It is not an “after-thought”, but very important.